Wire Guard Configuration

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-05-14 22:35:49
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

I have been able to get a full tunnel for WireGuard to work. However, for the life of me, I cannot get access to my local LAN no matter what ACL I put in place. My LAN is 192.168.1.1/24 and my WireGuard network is 192.168.9.1/24. I feel I am missing something blatantly obvious but just can't see it. Is there actually an Omada cloud walkthrough for WireGuard that I have missed, or is there anyone who has attempted and succeeded in what I am attempting to do?

LAN Interface/VLAN 1 is 192.168.1.1/24

WireGuard Interface/VLAN 404 is 192.168.9.1/24

Successfully connects and routes all traffic through the tunnel and out. No LAN access no matter what ACL is put in place to allow access between the networks.

Interface Addresses on Client App: 192.168.9.3/24

PEER's Allowed IPs on Client App: 0.0.0.0/0, 192.168.9.0/24

"Desperate times call for desperate desperateness."
#1
Re:Wire Guard Configuration
2023-05-16 02:36:16

@Daggett

Hi, Allowed IPs is the entry the Client uses to identify whether to forward data through the VPN tunnel.
This can be filled in as 0.0.0.0/0 when proxy access is required, i.e. all traffic goes through the VPN tunnel.

When you want to implement site-to-site, you have to set the Allowed IPs to the real LAN segment on the Server side.
If there are multiple segments on the other side, only the mask needs to be changed.
If there are completely different segments, add the new segment and separate it with a comma.

So PEER's Allowed IPs on Client App should be the real LAN segment on the Server side, LAN Interface/VLAN 1 192.168.1.1/24.

Just striving to develop myself while helping others.
#2
Re:Wire Guard Configuration
2023-05-16 21:14:03 - last edited 2023-05-16 21:15:08

So here is what I have for the client config on my phone...

WireGuard (iPhone/Android)

[Interface]
Private Key: 8675309
Public Key: 9035768
Addresses: 192.168.9.3/24
Listen Port: 51820
MTU: 1420
DNS Servers: 1.1.1.1, 1.0.0.1

[Peer]
Public Key: Puzzle
Preshared Key: Pieces
Endpoint: www redirected com 51820
Allowed IPs: 0.0.0.0/0, 192.168.1.1/24

So this is how my client configuration should look on my mobile, then? Asking here first since the last time I tried enabling it I locked up my router something fierce. 0.0.0.0/0, to my understanding, makes the connection a full tunnel.

"Desperate times call for desperate desperateness."
#3
Re:Wire Guard Configuration
2023-05-17 06:07:18

@Daggett

So is it working now?

Just striving to develop myself while helping others.
#4
Re:Wire Guard Configuration
2023-05-17 20:42:23

@Virgo

Nah, no change; still no local access to the network, even if I remove the 0.0.0.0/0 from the Allowed IPs list.

"Desperate times call for desperate desperateness."
#5
Re:Wire Guard Configuration
2023-05-18 09:16:07

@Daggett

You need to make sure the allowed IP address you set on the ER605 WireGuard VPN Peers page is the same as the IP address shown on the WireGuard Client Interface page.

Just striving to develop myself while helping others.
#6
Re:Wire Guard Configuration
2023-05-18 23:34:16

@Virgo

I have verified that it is the same on the WireGuard client app and the VPN Peers page on Omada. It is giving me a full tunnel according to the IP address I am getting from IP Chicken and a Net Tool app on my phone. When I change the addresses so they don't match, I no longer connect or get a full tunnel.

"Desperate times call for desperate desperateness."
#7
Re:Wire Guard Configuration
2023-05-19 06:10:56

@Daggett

Can you share the ACL settings with us?

And I just tested locally on my device: I just put 0.0.0.0 in the Allowed IP on the VPN Clients and it's working OK. I have multiple VLANs and can access my main LAN.

Maybe the ACL settings you have caused the issue.

Just striving to develop myself while helping others.
#8
Re:Wire Guard Configuration
2023-05-20 15:45:56 - last edited 2023-05-20 15:55:12

@Virgo

My mistake was following this walkthrough (https://www.tp-link.com/us/support/faq/3559/) when trying to set up the WireGuard VPN. I created a new LAN/VLAN interface for WireGuard during the initial setup that had the last octet as .1 for the router, the WireGuard interface at .2, and my client device using .3. Once I deleted the LAN/VLAN interface from the wired networks, I was able to successfully connect and browse my local network when connected to the VPN. The only thing I don't like about it currently, and what I need to figure out, is that I can hit every LAN/VLAN in my network. I eventually only want to be able to hit my NVR and Omada controller through the tunnel, however, so I need to figure that out.

Is there someplace here that has better walkthroughs for cloud/controller users over local configuration users?

So the solution to my initial issue was that I had a LAN/VLAN interface for WireGuard in my wired networks, and that needed to be deleted to be able to navigate my local network, even though it was successfully tunneling all my traffic through the VPN.

"Desperate times call for desperate desperateness."
#9
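The fault found in the last post, a wired LAN/VLAN interface on the same subnet as the WireGuard tunnel, can be checked for before touching ACLs. The sketch below is an added example, not part of the thread or of TP-Link's tooling: the function names are hypothetical, the addresses are the ones quoted in the posts, and the /24 mask on the WireGuard interface at .2 is an assumption.

```python
import ipaddress

def parse_allowed_ips(value):
    """Return (networks, entries written with host bits set) for an Allowed IPs string."""
    nets, host_bits = [], []
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue
        iface = ipaddress.ip_interface(item)
        if iface.ip != iface.network.network_address:
            # e.g. 192.168.1.1/24 really means the network 192.168.1.0/24
            host_bits.append((item, str(iface.network)))
        nets.append(iface.network)
    return nets, host_bits

def audit(wired_ifs, tunnel_if, client_addr, allowed_ips, lan):
    """Compare the router's wired interfaces and the client's settings with the tunnel."""
    tunnel = ipaddress.ip_interface(tunnel_if).network
    lan_net = ipaddress.ip_network(lan)
    nets, host_bits = parse_allowed_ips(allowed_ips)
    return {
        # Wired LAN/VLAN interfaces that share the tunnel subnet (the fault in the thread).
        "overlapping_wired": [name for name, cidr in wired_ifs.items()
                              if ipaddress.ip_interface(cidr).network.overlaps(tunnel)],
        # The client's interface address must sit inside the tunnel subnet.
        "client_in_tunnel": ipaddress.ip_interface(client_addr).ip in tunnel,
        # True when some Allowed IPs entry sends LAN-bound traffic into the tunnel.
        "lan_routed_via_tunnel": any(n.version == lan_net.version and lan_net.subnet_of(n)
                                     for n in nets),
        "host_bits_set": host_bits,
        # Entries already covered by a wider entry such as 0.0.0.0/0.
        "redundant": [str(a) for a in nets for b in nets
                      if a != b and a.version == b.version and a.subnet_of(b)],
    }

# Values quoted in the thread; the /24 on the WireGuard interface at .2 is an assumption.
WIRED_BEFORE = {"VLAN 1": "192.168.1.1/24", "VLAN 404": "192.168.9.1/24"}
WIRED_AFTER = {"VLAN 1": "192.168.1.1/24"}  # after deleting the extra LAN/VLAN interface
TUNNEL_IF = "192.168.9.2/24"
CLIENT_ADDR = "192.168.9.3/24"
CLIENT_ALLOWED = "0.0.0.0/0, 192.168.1.1/24"
LAN = "192.168.1.0/24"

if __name__ == "__main__":
    for label, wired in (("before", WIRED_BEFORE), ("after", WIRED_AFTER)):
        print(label, audit(wired, TUNNEL_IF, CLIENT_ADDR, CLIENT_ALLOWED, LAN))
```

Client-side Allowed IPs only decide what the client sends into the tunnel, so limiting a peer to particular hosts such as the NVR and controller still has to be enforced on the router.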